authorizationdb Defaults in macOS 10.14

The authorizationdb in macOS defines rules around who can do which tasks in macOS. These are per domain and the structure is similar to how preferences domains work. You can easily read domains using the security command followed by the authorizationdb key and the read verb, followed by the domain. In the following example, we’ll read the admin domain:

security authorizationdb read admin

You can then use this same command structure for all domains. The keys for each rights domain are as follows:

authenticate-admin

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate as an administrator.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>0</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

authenticate-admin-30

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Like the default rule, but credentials remain valid for only 30 seconds after they’ve been obtained. An acquired credential is shared by all clients.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>30</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

authenticate-admin-nonshared

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate as an administrator.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>30</integer><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer></dict>

authenticate-developer

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate as a developer.</string><key>created</key><real>538029218.67258</real><key>group</key><string>_developer</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>36000</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

authenticate-session-owner

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate as the session owner.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

authenticate-session-owner-or-admin

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate either as the owner or as an administrator.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

authenticate-session-user

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Same as authenticate-session-owner.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

authenticate-staff-extract

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate as group staff + allow password to be extracted.</string><key>created</key><real>538029218.67258</real><key>extract-password</key><true/><key>group</key><string>staff</string><key>modified</key><real>538029218.67258</real><key>password-only</key><true/><key>require-apple-signed</key><true/><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>0</integer><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer></dict>

authenticate-webdeveloper

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate as a web developer.</string><key>created</key><real>538029218.67258</real><key>group</key><string>_webdeveloper</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>36000</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.CoreRAID.admin

<dict><key>class</key><string>rule</string><key>comment</key><string>Used by CoreRAID to allow access to administration functions of RAID devices</string><key>created</key><real>538029219.97001803</real><key>identifier</key><string>com.apple.CoreRAIDServer</string><key>modified</key><real>538029219.97001803</real><key>requirement</key><string>identifier “com.apple.CoreRAIDServer” and anchor apple</string><key>rule</key><array><string>root-or-entitled-admin-or-authenticate-admin</string></array><key>version</key><integer>0</integer></dict>

com.apple.DiskManagement.

<dict><key>class</key><string>rule</string><key>comment</key><string>Used by diskmanagementd to allow access to its privileged functions</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>is-root</string><string>is-admin</string><string>on-console</string><string>default</string></array><key>version</key><integer>0</integer></dict>

com.apple.DiskManagement.internal.

<dict><key>class</key><string>rule</string><key>comment</key><string>Used by diskmanagementd to allow access to its privileged functions</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>is-root</string><string>is-admin</string><string>default</string></array><key>version</key><integer>0</integer></dict>

com.apple.DiskManagement.reserveKEK

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Used by diskmanagementd to allow use of the reserve KEK.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.Safari.allow-apple-events-to-run-javascript

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>This right is used by Safari to allow Apple Events to run JavaScript on web pages.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.Safari.allow-javascript-in-smart-search-field

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>This right is used by Safari to allow JavaScript to be used in the Smart Search Field.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.Safari.allow-unsigned-app-extensions

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>This right is used by Safari to allow unsigned extensions in the Develop Menu.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.Safari.install-ephemeral-extensions

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>This is the right used by Safari to install an ephemeral extension without a developer certificate present.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>0</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.Safari.show-credit-card-numbers

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>This right is used by Safari to show credit card numbers.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>10</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.Safari.show-passwords

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>This right is used by Safari to show passwords.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>10</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.ServiceManagement.blesshelper

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Used by the ServiceManagement framework to add a privileged helper tool to the system launchd.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>30</integer><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer></dict></plist>

com.apple.ServiceManagement.daemons.modify

<dict><key>class</key><string>rule</string><key>comment</key><string>Used by the ServiceManagement framework to make changes to the system launchd’s set of daemons.</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>is-root</string><string>entitled-admin-or-authenticate-admin-nonshared</string></array><key>version</key><integer>1</integer></dict>

com.apple.SoftwareUpdate.modify-settings

<dict><key>class</key><string>rule</string><key>comment</key><string>Checked by the Admin framework when making changes to the Software Update preference pane.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>root-or-entitled-admin-or-app-specific-admin</string></array><key>version</key><integer>0</integer></dict>

com.apple.SoftwareUpdate.scan

<dict><key>class</key><string>rule</string><key>comment</key><string>Checked when user is updating software.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>root-or-entitled-admin-or-authenticate-admin</string></array><key>version</key><integer>0</integer></dict>

com.apple.activitymonitor.kill

<dict><key>class</key><string>rule</string><key>comment</key><string>Used by Activity Monitor to authorize killing processes not owned by the user.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>entitled-admin-or-authenticate-admin</string></array><key>version</key><integer>0</integer></dict>

com.apple.desktopservices

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>For privileged file operations from within the Finder.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>0</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.desktopservices.scripted

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>For scripting-initiated privileged file operations from within the Finder.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>0</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.docset.install

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.familycontrols.loginwindow.override

<dict><key>class</key><string>evaluate-mechanisms</string><key>comment</key><string>This right is checked when overriding a parental control restriction</string><key>created</key><real>538029866.46782303</real><key>identifier</key><string>com.apple.parentalcontrolsd</string><key>mechanisms</key><array><string>FamilyControls:invoke</string><string>FamilyControls:authenticate</string><string>FamilyControls:success</string></array><key>modified</key><real>538029866.46782303</real><key>requirement</key><string>identifier “com.apple.parentalcontrolsd” and anchor apple</string><key>shared</key><true/><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.familycontrols.override

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>This right is checked when overriding parental controls from a user account</string><key>created</key><real>538029866.37611794</real><key>group</key><string>admin</string><key>identifier</key><string>com.apple.parentalcontrolsd</string><key>modified</key><real>538029866.37611794</real><key>requirement</key><string>identifier “com.apple.parentalcontrolsd” and anchor apple</string><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>5</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.iBooksX.ParentalControl

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked when making changes to the Parental Controls for iBooks.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.icloud.passwordreset

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate as the session owner to reset iCloud password</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>password-only</key><true/><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>0</integer><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer></dict>

com.apple.safaridriver.allow

<dict><key>class</key><string>rule</string><key>comment</key><string>This right is used by safaridriver to allow running it.</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>is-admin</string><string>is-webdeveloper</string><string>authenticate-webdeveloper</string></array><key>version</key><integer>1</integer></dict>

com.apple.server.admin.streaming

<dict><key>class</key><string>rule</string><key>comment</key><string>For making administrative requests to the QuickTime Streaming Server.</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>is-admin</string><string>authenticate-admin</string></array><key>version</key><integer>0</integer></dict>

com.apple.trust-settings.admin

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>For modifying Trust Settings in the Local Admin domain.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

com.apple.trust-settings.user

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>For modifying Trust Settings in the Local Admin domain.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

config.add.

<dict><key>class</key><string>allow</string><key>comment</key><string>Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>version</key><integer>0</integer></dict>

config.config.

<dict><key>class</key><string>deny</string><key>comment</key><string>Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>version</key><integer>0</integer></dict>

config.modify.

<dict><key>class</key><string>rule</string><key>comment</key><string>Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>is-root</string><string>authenticate-admin</string></array><key>version</key><integer>0</integer></dict>

config.remove.

<dict><key>class</key><string>rule</string><key>comment</key><string>Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>is-root</string><string>authenticate-admin</string></array><key>version</key><integer>0</integer></dict>

config.remove.system.

<dict><key>class</key><string>deny</string><key>comment</key><string>Wildcard right for deleting system rights.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>version</key><integer>0</integer></dict>

default

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Default rule. Credentials remain valid for 5 minutes after they’ve been obtained. An acquired credential is shared by all clients.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>300</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

is-admin

<dict><key>allow-root</key><false/><key>authenticate-user</key><false/><key>class</key><string>user</string><key>comment</key><string>Verify that the user asking for authorization is an administrator.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

is-admin-nonshared

<dict><key>allow-root</key><false/><key>authenticate-user</key><false/><key>class</key><string>user</string><key>comment</key><string>Verify that the user asking for authorization is an administrator – nonshared right.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

is-developer

<dict><key>allow-root</key><false/><key>authenticate-user</key><false/><key>class</key><string>user</string><key>comment</key><string>Verify that the user asking for authorization is a developer.</string><key>created</key><real>538029218.67258</real><key>group</key><string>_developer</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

is-root

<dict><key>allow-root</key><true/><key>authenticate-user</key><false/><key>class</key><string>user</string><key>comment</key><string>Verify that the process that created this AuthorizationRef is running as root.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

is-session-owner

<dict><key>allow-root</key><false/><key>authenticate-user</key><false/><key>class</key><string>user</string><key>comment</key><string>Verify that the requesting process is running as the session owner.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

is-webdeveloper

<dict><key>allow-root</key><false/><key>authenticate-user</key><false/><key>class</key><string>user</string><key>comment</key><string>Verify that the user asking for authorization is a web developer.</string><key>created</key><real>538029218.67258</real><key>group</key><string>_webdeveloper</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

sys.openfile.

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>See authopen(1) for information on the use of this right.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>300</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.csfde.requestpassword

<dict><key>class</key><string>rule</string><key>comment</key><string>Used by CoreStorage Full Disk Encryption to request the user’s password.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>authenticate-admin-or-staff-extract</string></array><key>version</key><integer>1</integer></dict>

system.device.dvd.setregion.initial

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.disk.unlock

<dict><key>class</key><string>evaluate-mechanisms</string><key>comment</key><string>Do not modify.</string><key>created</key><real>538029218.67258</real><key>mechanisms</key><array><string>DiskUnlock:prompt</string><string>DiskUnlock:unlock,privileged</string></array><key>modified</key><real>538029218.67258</real><key>shared</key><true/><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.identity.write.

<dict><key>class</key><string>rule</string><key>comment</key><string>For creating, changing or deleting local user accounts and groups.</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>is-admin</string><string>authenticate-admin</string></array><key>version</key><integer>0</integer></dict>

system.identity.write.credential

<dict><key>class</key><string>rule</string><key>comment</key><string>Checked when changing authentication credentials (password or certificate) for a local user account.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>default</string></array><key>version</key><integer>0</integer></dict>

system.identity.write.self

<dict><key>allow-root</key><false/><key>authenticate-user</key><false/><key>class</key><string>user</string><key>comment</key><string>Checked when changing authentication credentials (password or certificate) for the current user’s account.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.install.app-store-software

<dict><key>class</key><string>rule</string><key>comment</key><string>Checked when user is installing software from the App Store.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>entitled-appstore-or-entitled-authenticate-appstore</string></array><key>version</key><integer>0</integer></dict>

system.install.app-store-software.standard-user

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked when user is installing new software.</string><key>created</key><real>538029218.67258</real><key>entitled</key><true/><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>10</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.install.apple-software.standard-user

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked when user is installing new software.</string><key>created</key><real>538029218.67258</real><key>entitled</key><true/><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>10</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.install.software

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked when user is installing new software.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>300</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.keychain.create.loginkc

<dict><key>class</key><string>evaluate-mechanisms</string><key>comment</key><string>Used by the Security framework when you add an item to an unconfigured default keychain.</string><key>created</key><real>538029218.67258</real><key>mechanisms</key><array><string>loginKC:queryCreate</string><string>loginKC:showPasswordUI</string></array><key>modified</key><real>538029218.67258</real><key>shared</key><false/><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer></dict>

system.keychain.modify

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Used by Keychain Access when editing a system keychain.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>30</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.login.console

<dict><key>class</key><string>evaluate-mechanisms</string><key>comment</key><string>Login mechanism based rule. Not for general use, yet.</string><key>created</key><real>538029218.67258</real><key>mechanisms</key><array><string>builtin:policy-banner</string><string>TeamViewerAuthPlugin:start</string><string>loginwindow:login</string><string>builtin:login-begin</string><string>builtin:reset-password,privileged</string><string>loginwindow:FDESupport,privileged</string><string>builtin:forward-login,privileged</string><string>builtin:auto-login,privileged</string><string>builtin:authenticate,privileged</string><string>PKINITMechanism:auth,privileged</string><string>builtin:login-success</string><string>loginwindow:success</string><string>HomeDirMechanism:login,privileged</string><string>HomeDirMechanism:status</string><string>MCXMechanism:login</string><string>CryptoTokenKit:login</string><string>loginwindow:done</string></array><key>modified</key><real>559753619.04678202</real><key>shared</key><true/><key>tries</key><integer>10000</integer><key>version</key><integer>7</integer></dict>

system.login.fus

<dict><key>class</key><string>evaluate-mechanisms</string><key>comment</key><string>Login mechanism based rule. Not for general use, yet.</string><key>created</key><real>538029218.67258</real><key>mechanisms</key><array><string>builtin:smartcard-sniffer,privileged</string><string>loginwindow:login</string><string>builtin:reset-password,privileged</string><string>builtin:auto-login,privileged</string><string>builtin:authenticate-nocred,privileged</string><string>loginwindow:success</string><string>loginwindow:done</string></array><key>modified</key><real>538029218.67258</real><key>shared</key><true/><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer></dict>

system.login.screensaver

<dict><key>class</key><string>rule</string><key>comment</key><string>The owner or any administrator can unlock the screensaver, set rule to “authenticate-session-owner-or-admin” to enable SecurityAgent.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>use-login-window-ui</string></array><key>version</key><integer>1</integer></dict>

system.preferences

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to certain System Preferences.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.accessibility

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked when making changes to the Accessibility Preferences.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>0</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.accounts

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Users &amp; Groups preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.continuity

<dict><key>class</key><string>rule</string><key>comment</key><string>Used by Password And Continuity PrefPane to request the user’s password.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>authenticate-staff-extract-context</string></array><key>version</key><integer>0</integer></dict>

system.preferences.datetime

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Date &amp; Time preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer></dict>

system.preferences.energysaver

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Energy Saver preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.location

<dict><key>class</key><string>rule</string><key>comment</key><string>For changing the network location from the Apple menu.</string><key>created</key><real>538029218.67258</real><key>k-of-n</key><integer>1</integer><key>modified</key><real>538029218.67258</real><key>rule</key><array><string>on-console</string><string>is-admin</string><string>is-root</string></array><key>version</key><integer>0</integer></dict>

system.preferences.network

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Network preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.parental-controls

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked when making changes to the Parental Controls preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.printing

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Printing preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.security

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Security preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.sharing

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Sharing preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.softwareupdate

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Software Update preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.preferences.startupdisk

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Startup Disk preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer></dict>

system.preferences.timemachine

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked by the Admin framework when making changes to the Time Machine preference pane.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.privilege.admin

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Used by AuthorizationExecuteWithPrivileges(…). AuthorizationExecuteWithPrivileges() is used by programs requestingto run a tool as root (e.g., some installers).</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>300</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.privilege.taskport

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Used by task_for_pid(…).Task_for_pid is called by programs requesting full control over another programfor things like debugging or performance analysis. This authorization only appliesif the requesting and target programs are run by the same user; it will neverauthorize access to the program of another user. WARNING: administrators are advised not to modify this right.</string><key>created</key><real>538029218.67258</real><key>group</key><string>_developer</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>36000</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.privilege.taskport.debug

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>For use by Apple. WARNING: administrators are advisednot to modify this right.</string><key>created</key><real>538029218.67258</real><key>group</key><string>_developer</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>36000</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.privilege.taskport.safe

<dict><key>class</key><string>allow</string><key>comment</key><string>For use by Apple.</string><key>created</key><real>538029218.67258</real><key>modified</key><real>538029218.67258</real><key>version</key><integer>0</integer></dict>

system.restart

<dict><key>class</key><string>evaluate-mechanisms</string><key>comment</key><string>Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.</string><key>created</key><real>538029218.67258</real><key>mechanisms</key><array><string>RestartAuthorization:restart</string><string>builtin:authenticate,privileged</string><string>RestartAuthorization:success</string></array><key>modified</key><real>538029218.67258</real><key>shared</key><true/><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.services.networkextension.filtering

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>For making changes to the Content Filtering configuration using NetworkExtension.</string><key>created</key><real>538029218.67258</real><key>entitled-group</key><true/><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer><key>vpn-entitled-group</key><true/></dict>

system.services.networkextension.vpn

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>For making changes to the VPN configuration using NetworkExtension.</string><key>created</key><real>538029218.67258</real><key>entitled-group</key><true/><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer><key>vpn-entitled-group</key><true/></dict>

system.services.systemconfiguration.network

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>For making change to network configuration via System Configuration.</string><key>created</key><real>538029218.67258</real><key>entitled-group</key><true/><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>1</integer><key>vpn-entitled-group</key><true/></dict>

system.sharepoints.

<dict><key>allow-root</key><true/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Checked when making changes to the Sharepoints.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><false/><key>shared</key><true/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

system.shutdown

<dict><key>class</key><string>evaluate-mechanisms</string><key>comment</key><string>Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.</string><key>created</key><real>538029218.67258</real><key>mechanisms</key><array><string>RestartAuthorization:shutdown</string><string>builtin:authenticate,privileged</string><string>RestartAuthorization:success</string></array><key>modified</key><real>538029218.67258</real><key>shared</key><true/><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>

use-login-window-ui

<dict><key>allow-root</key><false/><key>authenticate-user</key><true/><key>class</key><string>user</string><key>comment</key><string>Authenticate either as the owner or as an administrator.</string><key>created</key><real>538029218.67258</real><key>group</key><string>admin</string><key>modified</key><real>538029218.67258</real><key>session-owner</key><true/><key>shared</key><false/><key>timeout</key><integer>2147483647</integer><key>tries</key><integer>10000</integer><key>version</key><integer>0</integer></dict>